Lucene search

[email protected]NVD:CVE-2024-41226

HistoryAug 06, 2024 - 2:16 p.m.

CVE-2024-41226

2024-08-0614:16:04

CWE-1236

[email protected]

web.nvd.nist.gov

automation anywhere

csv injection

code execution

vulnerability

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

22.3%

JSON

A CSV injection vulnerability in Automation Anywhere Automation 360 version 21094 allows attackers to execute arbitrary code via a crafted payload. NOTE: Automation Anywhere disputes this report, arguing the attacker executes everything from the client side and does not attack the Control Room. The payload is being injected in the http Response from the client-side, so the owner of the Response and payload is the end user in this case. They contend that the server’s security controls have no impact or role to play in this situation and therefore this is not a valid vulnerability.

Affected configurations

Nvd

Node

automationanywhereautomation_360Match21094

VendorProductVersionCPE
automationanywhereautomation_36021094cpe:2.3:a:automationanywhere:automation_360:21094:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
automationanywhere	automation_360	21094	cpe:2.3:a:automationanywhere:automation_360:21094:::::::*

References

medium.com/%40aksalsalimi/cve-2024-41226-response-manipulation-led-to-csv-injection-9ae3182dcc02

www.automationanywhere.com/products/automation-360

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

22.3%

JSON

Related for NVD:CVE-2024-41226

cve1 cvelist1 vulnrichment1